Improved detections, added empty and corrupt

2024-11-26 22:30:35 +00:00 · 2024-04-17 22:24:34 +02:00 · 2024-04-17 22:24:34 +02:00 · 394d3aed31
commit 394d3aed31
parent 020c58763e
1 changed files with 43 additions and 45 deletions
--- a/support/yara_patterns/tools/pe/x86/installers.yara
+++ b/support/yara_patterns/tools/pe/x86/installers.yara
@ -443,70 +443,68 @@ rule pyinstaller_27
 		all of them
 }

-rule pyinstaller_30_38
+private rule pyinstaller_3x_strings
 {
-	meta:
-		tool = "I"
-		name = "PyInstaller"
-		version = "3.0-3.8"
-		strength = "high"
 	strings:
-		$s00 = "Failed to get address for PySys_SetObject"
-		$s01 = "Error copying %s"
-		$s02 = "Error loading Python DLL '%s'"
-		$s03 = "pyi-windows-manifest-filename"
+		$s00 = "Error loading Python DLL '%s'."
+		$s01 = "Cannot open self %s or archive %s"
+		$s02 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
+		$s10 = /PyInstalle(m|r): FormatMessageW failed\./
+		$s11 = /PyInstalle(m|r): pyi_win32_utils_to_utf8 failed\./
 	condition:
-		pe.number_of_resources > 0 and
-		@s00 < pe.sections[2].raw_data_offset and
+		pe.number_of_sections > 0 and
+		any of ($s0*) and
+		all of ($s1*)
+}
+
+private rule pyinstaller_3x_overlay
+{
+	strings:
+		$s01 = { 4D 45 49 0C 0B 0A 0B 0E }      // PyInstaller magic number
+		$s02 = /PYZ\-\d\d\.pyz/
+		$s03 = /python3\d{1,2}\.dll/
+	condition:
+		pe.overlay.offset > 0 and
+		@s02 > pe.overlay.offset and
+		@s03 > pe.overlay.offset and
 		all of them
 }

-rule pyinstaller_39
+rule pyinstaller_3x
 {
 	meta:
 		tool = "I"
 		name = "PyInstaller"
-		version = "3.9"
+		version = "3.x"
 		strength = "high"
-	strings:
-		$s00 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
-		$s01 = "Cannot open self %s or archive %s"
-		$s10 = "PyInstaller: FormatMessageW failed."
-		$s11 = "PyInstaller: pyi_win32_utils_to_utf8 failed."
-		$s12 = "bpython39.dll"
-		$s13 = /PYZ-\d\d.pyz/
-		$s14 = { 4D 45 49 0C 0B 0A 0B 0E }      // PyInstaller magic number
 	condition:
-		pe.number_of_resources > 0 and
-		@s12 > pe.overlay.offset and
-		@s13 > pe.overlay.offset and
-		@s14 > pe.overlay.offset and
-		1 of ($s0*) and
-		all of ($s1*)
+		pyinstaller_3x_overlay and
+		pyinstaller_3x_strings
 }

-rule pyinstaller_310_plus
+rule pyinstaller_3x_empty
 {
 	meta:
 		tool = "I"
-		name = "PyInstaller"
-		version = "3.10+"
+		name = "PyInstaller (no data)"
+		version = "3.x"
 		strength = "high"
-	strings:
-		$s00 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
-		$s01 = "Cannot open self %s or archive %s"
-		$s10 = /PyInstalle(r|m): FormatMessageW failed./
-		$s11 = /PyInstalle(r|m): pyi_win32_utils_to_utf8 failed./
-		$s12 = /bpython31\d.dll/
-		$s13 = /PYZ-\d\d.pyz/
-		$s14 = { 4D 45 49 0C 0B 0A 0B 0E }      // PyInstaller magic number
 	condition:
-		pe.number_of_resources > 0 and
-		@s12 > pe.overlay.offset and
-		@s13 > pe.overlay.offset and
-		@s14 > pe.overlay.offset and
-		1 of ($s0*) and
-		all of ($s1*)
+		pe.overlay.size == 0 and
+		pyinstaller_3x_strings
+}
+
+rule pyinstaller_3x_corrupt
+{
+	meta:
+		tool = "I"
+		name = "PyInstaller (corrupt)"
+		version = "3.x"
+		strength = "high"
+	condition:
+		pe.overlay.size > 0 and
+		pyinstaller_3x_strings and
+		not pyinstaller_3x_overlay
 }

 rule installanywhere_61 {